timed concurrent state machines - arxiv · title: timed concurrent state machines abstract. timed...
Post on 12-May-2020
30 Views
Preview:
TRANSCRIPT
Timed Concurrent State Machines
Wiktor B. Daszczuk
Institute of Computer Science,
Warsaw University of Technology,
Nowowiejska str.15/19, 00-665 Warsaw, Poland wbd@ii.pw.edu.pl
Title: Timed Concurrent State Machines
Abstract. Timed Concurrent State Machines are an application of Alur’s Timed
Automata concept to coincidence-based (rather than interleaving) CSM model-
ing technique. TCSM support the idea of testing automata, allowing to specify
time properties easier than temporal formulas. Also, calculation of a global state
space in real-time domain (Region Concurrent State Machines) is defined, al-
lowing to store a verified system in ready-to-verification form, and to multiply
it by various testing automata.
Keywords: model checking, real time verification, timed automata
Tytuł: Współbieżne Maszyny Stanowe z Czasem
Streszczenie. Współbieżne Maszyny Stanowe z Czasem TCSM są aplikacją
Automatów Czasowych Alura w środowisku koincydencyjnycm Współbieżnych
Maszyn Czasowych CSM (w przeciwieństwie do środowisk przeplotowych).
TCSM pasują do idei automatów testujacych, które pozwalają wyspecyfikować
zależności czasowe łatwiej niż poprzez formuły temporalne. Ponadto zdefinio-
wano sposób wyznaczania globalnej przestrzeni stanów w dziedzinie czasu
(Współbieżne Maszyny Stanowe Regionów RCSM), co pozwala przechowywać
badany system w postaci gotowej do weryfikacji i mnożyć go przez różne au-
tomaty testujące.
Słowa kluczowe: weryfikacja modelowa, weryfikacja w czasie rzeczywistym,
automaty czasowe
1 Introduction
In [1,2], Alur presented a successful idea of introducing real time to the specification
of concurrent system. A kind of Büchi automata (with real-valued clocks added) is
used. The strength of this method is compositionality, i.e. an automaton representing a
concurrent system is compound from individual automata of components. In ICS
WUT, another modeling technique called CSM (Concurrent State Machines) is used
[9]. The components of concurrent CSM system, called automata for simplicity, differ
from Büchi automata in several assumptions, the most important are:
Transitions are triggered by compositions of signals (the domain of transition
function is 2{input_alphabet}
rather than input alphabet itself); this means parallel-
ism related to input alphabet.
Transitions in distinct automata are executed in parallel rather than interleaved;
this means parallelism in actions.
The main notions of TCSM are defined quite similarly to TA. However, the main exten-
sion of TCSM is that the product operation is defined for RCSM (corresponding to Re-
gion Automata). This unique feature allows a verification system to store a state space of
a system under test in a form of RCSM, called “automaton under test”. A system is form
of RCSM can be checked against temporal formulas, but we prefer other verification
technique, consisting of three phases:
construction of an RCSM “testing automaton” representing needed (or converse-
ly, unneeded) feature; the automaton may be designed by a user or obtained au-
tomatically from other form defining the behavior (for example UML sequence
diagram, collaboration diagram or state diagram);
obtaining a product of the automaton under test with testing automaton;
reduction of output product using the reduction algorithm presented in
[7,11,12,13];
“safety” features are verified by checking the existence of “error states” in re-
duced output product;
“liveness” features are verified by testing output product against stuttering of giv-
en states of testing automaton (this technique elaborated by Jerzy Mieściki is a
subject of a separate paper under preparation).
The presented verification technique is useful for a designer which does not know a
temporal logic, or when it is difficult to express the desired feature in terms of a temporal
logic. Also, behavioral conditions may be automatically converted to testing automata
from other modeling formalisms.
2 Definition of CSM
Before introduction of real time, a timeless version of CSM will be defined.
universe U - a countable set of elementary symbols called signals x U,
alphabet A U (finite subset),
atomic Boolean formula x 1 ; a formula x is satisfied if a signal x occurs,
Boolean formula w – a sentence in traditional Boolean algebra over atomic
Boolean formulas x | x U and special symbols {false, true},, , ¬2,
1 The usage of underlined signals and occurrences of signals written in italics highlights the differ-
ence between the name of a signal (underlined: x) and expressing the fact that the signal is being
generated (italics: x).
sig(w) - set of signals occurring in Boolean formula w,
W - set of all Boolean formulas w.
We will identify a formula w with a Boolean function f such that for every set of occur-
rences of signals the formula w is satisfied iff the function f gives the value true. The
values of special Boolean formulas are: is always false, is always true.
CSM automaton p ≝ < S, form, out, sinit >3:
S - finite set of states (nodes in a graph representation),
transition function form: SS W (labels of transitions in graph); form is as-
sumed total, i.e. defined for every pair (s,s') SS (formulas and are valid
values of form); void transitions (s,s') such that form(s,s') = are usually
skipped in a graph representation,
output function out: S 2U is a function assigning subsets of signals to states (if
xout(s) then we say that the signal x is generated by state s),
unique initial state sinit S.
The CSM automaton is assumed to be transition-complete, i.e. for any sS the disjunc-
tion of formulas for all pairs (s,s’) SS is true.
Alphabets of an automaton p:
Input alphabet INP(p) U – set of all signals referred to in form’s range.
Output alphabet OUT(p) U – union of all sets out(s).
External input alphabet EXT(p) U – set of input signals coming from the
environment; EXT(p)= INP(p)- OUT(p).
Total alphabet ALL(p) U – union of input and output alphabets.
There is no requirement for sets INP(p) and OUT(p) to be disjoint: a signal may be gen-
erated in a state of an automaton and accepted on a transition in the same automaton.
An output formula (s) of the state sS is a conjunction of affirmation of all signals
belonging to out(s) and negations of all signals belonging to OUT(p)-out(s).
A state s'S is a successor of state sS: s r s’ iff form(s,s') * (s) . Note that
some non-void transitions may lead to states that are not successors due to signals ap-
pearing in output formula, for example if for the state s and its successors s1,s2 in automa-
ton p: form(s,s1)=ab, form(s,s2)=a+b, out(s)={a,b}, OUT(p)={a,b,c}, then s1 is a
successor of s because form(s,s1)*(s) = (ab)*(ab*c) = ab*c , and s2 is not a
successor of s since form(s,s2)*(s) = (a+b)*(ab*c) = .
Reachability relation (denoted R) is a transitive extension of r.
Let p be a CSM automaton, wW be a Boolean formula and X ALL(p). We re-
place in w all atomic Boolean formulas x referring to signals x X by symbol and all
atomic Boolean formulas referring to y OUT(p)-X by symbol . The formula w' thus
obtained is called reduced by X, denoted w’=w\\X. For example if OUT(p)={a,c,d}
then the formula w=ab+c+d reduced by the set {a,c} is
w’=w\\{a,c}= b+ + =b+ + =b.
2 For compatibility with the COSMA environment, the conjunction of signals’ occurrences is
denoted as * (instead of ) or no symbol between signals. Disjunction of signals’ occurrences
is denoted as + (instead of ). This notation is used by other authors as well, for example[14]. 3 The symbol ≝ denotes equality by definition.
The Reachability Graph (RG) of a CSM automaton is the automaton restricted to
states reachable from sinit: RG ≝ < GS, form, out, sinit >, where: GS S is a set of all
reachable states: (GS ≝ { s : sS sinit R s } { sinit }); formulas on arcs leading out of
a given state s are reduced by the set out(s); all void transitions are removed (domain of
form is restricted to pairs of states belonging to GS).
Let P be a finite set of CSM automata
P≝{pi| i=1..n, pi = <Si, formi, outi, si,init>}
The CSM automaton p = <S, form, out, sinit> is a product of CSM automata from P
(denoted p ≝ piP pi which means p1p2…pn) if sets OUT(pi), i=1..n are pairwise
disjoint and:
S piP Si, ( piP Si denotes Cartesian product S1 S2… Sn);
elements of S (composite states) are tuples of the form: s≝f (sj1, sj2, ..., sjn)
sinit S is a tuple containing si,init of all component automata piP:
sinit ≝ (s1,init, s2,init, ..., sn,init)
for any s S: out(s) ≝ piP outi(sji), sjiSi,
for any pair (s,s') SS, s = (sj1, sj2, ... , sjn); s' = (s'j1, s'j2, ... , s'jn):
form(s,s') ≝ piP formi(sji,s’ji); sji,, s’jiSi ( denotes conjunction).
Note that for a product p of CSM automata p = piP pi: the sets INP(p), OUT(p) and
ALL(p) are unions of sets of component automata, while EXT(p) is not (EXT(p)=
INP(p)- OUT(p)).
The semantics of CSM is defined formally in [7]. A new state of the system is taken
from the transition leading from the current state, according do set of signals on input.
Single-step semantics, path semantics and fair path semantics are defined. From now
on, we deal with fair CSM automata (with fair path semantics).
3 Introduction of real time
A real time is added to CSM model similarly to Alur’s Timed Automata [1] (TA).
The “global time” runs for all automata, getting all values in R+.
Every automaton has a set of clocks, running synchronously with “global time”
or being reset on transitions.
However, there are major differences. The main features of TCSM are:
In TA time elapses in states of an automaton. Because in CSM there is no con-
cept of “staying in a state” other than executing of a self-loop (called an “ear”
due to its graphical image), therefore the flow of time is associated with ears. A
state with no ear is instantaneous, i.e. it is left as soon as reached. As in TA,
only a finite number of instantaneous states may be visited without elapse of
time. A time constraint put on an ear is called invariant (similarly to TA).
Because of the “fairness condition” if there is an escape from a cycle in an au-
tomaton, if must be followed after a finite number of loops in a cycle. There-
fore, a zero-time loop is not a tragedy if the run may diverge from the loop.
Only an ending (with no escape) strongly connected subgraph containing no
ear is invalid. Also, an automaton containing such a subgraph is invalid.
Due to the manner of multiplication of automata, an ending strongly connected
zero-time subgraph may outcome from a product of valid automata.
Every timeless CSM automaton is transition-complete, i.e. it acts “somehow”
in every situation (it never can be “unexecutable”, like TA [1]). Formally, a
sum of all formulas on arcs outgoing from a state must be . In TCSM, to keep
the transition-completeness, all formulas must sum to in every point in time.
The important difference between TCSM and TA is the manner of communica-
tion. In TA, the communication occurs on common letters of alphabet, and the
direction of communication (which automaton is a sender and which is a re-
ceiver) is specified separately. In TCSM, signals (symbols of alphabet) are
generated in states and accepted on transitions, therefore the direction of com-
Fig. 1 . Train-gate controller, Timed CSM
GATE
lower,
y:=0
lower
t0 t1
/down
t3’ /up
raise
y:=0 t2 t3
, y1
raise
, y2
, y1
CONTROLLER
u0 u2 exit,
z:=0 u1
approach,
z:=0
u1’
/lower u2’
/raise
approach*exit
, z<1
, z=1
, z<1
s0
TRAIN
s0’ /approach
s3’ /exit
, x:=0
s2 /passing
, x5
, x>2 , x5
s3
/o
ut , x5
s1
munication is defined strictly. The example of a system of TA (coming from
[2]) converted to TCSM system is presented in Fig. 1. Time dependencies in
TRAIN model physical delays between sensor signals, in CONTROLLER
model reaction times and in GATE model closing and opening time.
4 Definition of TCSM
TCSM automata are based on CSM, therefore only differences will be defined.
Let X be a finite set of clocks (clock variables). Clock constraints are simple con-
straints , xc, cx, x<c, c<x (c is nonnegative real) and Boolean formulas over sim-
ple constraints and (denoted *) The symbol (equals R+) denotes no constraint and
may be skipped.
A clock interpretation (from [1]) assigns a real value to every clock in X; satisfies
constraint over X iff evaluates to true according to the values given by . For R+,
+ denotes the clock interpretation which maps every clock x to the value (x)+ . For
YX, [Y:=0] denotes the clock interpretation for X which assigns 0 to each xY, and
agrees with over the rest of the clocks.
The TCSM automaton is a 5-tuple p ≝ < TS, out, X, lab, sinit >: finite set of timed
states TS (a shortcut t.state will be used); output function out: TS 2U as in CSM; set
of clock variables X; unique initial t.state sinit TS; set of timed transitions lab TS
form (X) 2X TS (a shortcut t.transition will be used, analogously t.ear).
A t.transition <s,w,,,s’> from sS to s’S:
transition function wform triggers the t.transition (as in CSM);
clock constraint (X) specifies when the t.transition is enabled;
set of clocks to be reset X .
As a pair (s,s’) uniquely appoints a t.transition (multiple t.transitions between states are
not allowed), elements of a t.transition are extracted using a notation w(s,s’), (s,s’),
(s,s’).
The TCSM automaton is assumed to be transition-complete, i.e. for any sS and for
every clock interpretation, the disjunction of
Boolean formulas for all t.transitions outgoing
from s is true.
The succession relation cannot be defined for
TCSM, because void transitions may occur due
to clock interpretations allowed in preceding
states (similarly to TA, Region CSM (RCSM),
together with succession relation and reachabil-
ity will be defined in the next section). However,
the product of TCSM can be defined.
Let P be a finite set of TCSM automata
P={pi| i=1..n, pi = <TSi, outi, Xi, labi, si,init>}.
The TCSM automaton p = <TS, out, X, lab, sinit>
is a product of TCSM automata from P (denot-
Fig. 2. TCSM automaton
s4 s5
s3
s1 s2
s0
, x<2 , x2
, x2
, x2 , x1
, x<2 , x<1
ed p ≝ piP pi which means p1p2…pn) if sets OUT(pi), i=1..n are pairwise dis-
joint, sets Xi, i=1..n are pairwise disjoint and:
X ≝ piP Xi,
TS piP TSi;
elements of TS (composite states) are n-tuples of the form:
s ≝ (sj1, sj2, ..., sjn)
sinit TS is a tuple containing si,init of all component automata piP:
sinit ≝ (s1,init, s2,init, ..., sn,init)
for any s TS:
out(s) ≝ piP outi(sji), sjiTSi,
for any t.transition <s,w,,,s’> lab, s = (sj1, sj2, ... , sjn); s' = (s'j1, s'j2, ... , s'jn):
w(s,s’) ≝ piP w(sji,s’ji); sji, s’jiTSi.
(s,s’) ≝ piP (sji,s’ji); sji, s’jiTSi.
(s,s’) ≝ piP (sji,s’ji); sji, s’jiTSi.
The algorithm of obtaining a
product of TCSM automata is
similar to that for CSM [9]
and requires additionally to
take on resulting t.transitions
conjunctions of time con-
straints of component
t.transitions and sums of
clocks to be reset on compo-
nent t.transitions.
Single step semantics of
TCSM can be found in [8].
However, due to lack of
reachability relation for
t.states, path semantics and
fair path semantics cannot be
defined for TCSM.
5 Region CSM
The single step semantics is
not sufficient to express be-
havior of TCSM automata
because of:
time constraints ap-
pearing on transitions
(see Fig. 2 showing a
transition that is per-
Fig. 3. RCSM automaton
s5 R2
s3 R2
s2 R2
s4 R1
s3 R1
s2 R1
s2 R0
s1 R1
s1 R0
s0 R0
s4 R2
s4 R>2 T
s5 R>2 T
s4 R(1,2)
T
s3 R(1,2) T
s2 R(1,2) T
s1 R(0,1) T
s2 R(0,1) T
T
T
T T
T T
T
T
T
T T
T
sisting in CSM but void in TCSM)
a fairness condition imposed on the model (Section 2).
Therefore, a Region CSM automaton is defined which allows to observe succession
relation and to build a Reachability Graph of a TCSM automaton. It is similar to Re-
gion Automaton (RA) of TA [1].
Similarly to RA, constants in time constraints are limited to integral ones (for every
TA with real constraints there exists a similar automaton with integral constraints, see
[1]). Then, by multiplication of all constants by least common multiple of denomina-
tors the set of natural constraints is achieved.
A timed location is a pair (s,). In TCSM, there are infinitely many pairs of timed
locations ((s,),(s’,’)) referring to the same pair of states (s,s’). Building RCSM, we
achieve finite equivalence classes of these transitions. The regions are sets of clock
interpretations that have the same integral part for all clocks and the same fractional
part ordering for all clocks. Clock interpretations that exceed a highest constant cx to
which a clock x is compared in constraints (clock bound) are not divided into regions.
A region is defined over the set of all clock interpretations for X. The automaton of
regions where the succession is defined as succession of regions with operations +
and [Y:=0] is stable, i.e. if 1 and 2 belong to common region and some operation
(+ or[Y:=0]) 1 moves 1 to 1’ then there exists a 2’ such that the same operation
moves 2 to 2’ and 2’ belongs to the same region as 1’. The stability solves the
reachability problems. For example, see Figs. 2 and 3: in TCSM automaton it is not
clear if state s4 is reachable from s2 through s3, and in RCSM automaton it is obvious
that not (but s5 is). Region states in RCSM are pairs (s,R) where s is a state of TCSM
and R is a region. Region index is a range of time interpretations of the clock x in the
region. Transition marked are zero-time (non-ear) and transitions marked T are
progress transitions (ear in TCSM, is skipped).
The proof of region graph stability is given in [2].
Formally [1], for any R+, denotes the fractional part of and denotes
the integral part of ., therefore =+. For two clock interpretations 1 and 2,
they are in common region iff all the following conditions hold (we call them region
integrity conditions):
For all xX, either 1(x) and 2(x) are the same or both 1(x) and 2(x) ex-
ceed cx.
For all x,yX with 1(x) cx and 1(x) cy, 1(x)1(y) iff 2(x)2(y).
For all xX with 1(x) cx, 1(x)=0 iff 2(x)=0.
The succession of regions can be easily formulated due to fixed ordering of clock
interpretations in a region.
The succession of regions (due to progress of time) results from linear change of
values of all clocks (except clocks being reset), and resets of clocks. A region is char-
acterized by a tuple I of integral parts of all clocks (or clock bound if a clock interpre-
tation exceeds it), a set of clocks exceeding their bounds, a set of clocks with fraction-
al parts equal to zero, and sets of clocks with equal, non-zero fractional parts; the
latter sets ordered from greatest to smallest fractional part. The sets are indexed by >
(exceeding bounds), 0 (zero fractional parts), f1,f2,… (non-zero fractional parts, or-
dered from greatest to smallest). For a set X, the sets Y>,Y0,Yf1...Ffm, mn, are pairwise
disjoint, and they sum to X. The rules of succession of regions can be found in [8].
In general, the repertoire of operations over regions must support a succession rela-
tion. For example, to the operations defined in TCSM (+, [Y:=0]) two additional
operations may be added:
assignment of a natural number (if the greatest number assigned is larger than
cx, then cx must be expanded to this value),
increment by a natural number (cx must be enlarged by the greatest number
added).
Both these operations preserve region integrity conditions.
An RCSM automaton is a 5-tuple p ≝ < RS, out, X, lab, sinit >, where:
RS is a finite set of region states (s,R), where s is a TCSM t.state and R is a re-
gion – a set of time interpretations over X (a shortcut r.state will be used for a re-
gion state);
out: RS 2U is a function assigning subsets of signals to r.states; the function out
is called output function; if xout((s,R)) then we say that the signal x is generat-
ed by r.state (s,R);
X – a finite set of clock variables;
(sinit ,R[X:=0]) RS is a unique initial r.state; (R[X:=0] will be denoted Rinit);
a set of region transitions lab RS form 2X RS (a shortcut r.transition will
be used); for an r.transition from r.state (s,R) to (s’,R’) <(s,R),w,,(s’,R’)>:
o wform is a Boolean formula triggering the r.transition as before;
o X is a set of clocks to be reset in this r.transition;
o for an r.transistion <(s,R),w,,(s’,R’)> either s’=s and R’=(R+)[:=0]or
R’=R[:=0].
An r.transition with s=s’ is called progress r.transition, and an r.transition with ss’ is
called zero-time r.transition or action r.transition. As a pair ((s,R),(s’,R’)) uniquely ap-
points an r.transition (multiple r.transitions between states are not allowed), elements of
an r.transition are extracted using notation w((s,R),(s’,R’)), ((s,R),(s’,R’)). A clock con-
straint of an ear is called an invariant or an r.state appointed by the ear.
The RCSM automaton is assumed to be transition-complete, i.e. for any (s,R)RS
and for every clock interpretation that fits the region R, the disjunction of Boolean
formulas w for all r.transitions outgoing from (s,R) is true.
The RCSM automaton is constructed from TCSM using region succession and re-
moving void transitions:
For any constructed r.state (s,R), out((s,R))=out(s).
The initial r.state is (sinit, Rinit).
Construction of RCSM transitions (for w’ see next point):
1. For any constructed r.state (s,R), if there is a t.ear <s,w,,,s> in TCSM,
=, then construct a progress self-loop (r.ear) from (s,R) to (s,R):
<(s,R),w’,,(s,R)>.
2. For any constructed r.state (s,R), if there is a t.ear <s,w,,,s> in TCSM,
, then construct a progress r.transition from (s,R) to (s,R’):
<(s,R),w’,,(s,R’)>, R’=R[:=0].
3. For any constructed r.state (s,R), if there is a t.ear <s,w,,,s> in TCSM,
and if agrees with R, and if R’R is a successor of R with [:=0], then
construct a successor (s,R’), and a progress r.transition
<(s,R),w’,,(s,R’)>.
4. For any constructed r.state (s,R) and any t.transition <s,w,,,s’>, s’s in
TCSM, if agrees with R, then construct an r.state (s’,R’) and a zero-time
r.transition <(s,R),w’,,(s’,R’)> where R’=R[:=0].
The formula w in every constructed transition is reduced by out(s):
w’=w\\out(s) and if the result is then the transition is rejected.
The rules of RCSM construction guarantee that only reachable part of the graph of the
system remains. Some transitions are discarded due to time constraints and some due
to output signals are being or not being generated.
Having the succession relation between r.states defined, we may define succession
and reachability in RCSM. Succession will be defined for RCSM just as for CSM,
taking conjunction of outgoing r.transitions with the output formula.
Given a pair of RCSM automaton r.states belonging to RS, ((s,R),(s',R’)) TSTS,
r.state (s,R’)' is a region successor of (s,R) iff form((s,R), (s',R’)) * ((s,R)) . The
region succession relation is denoted s rr s’.
Region Reachability relation (denoted RR) is a transitive extension of rr.
The Region Reachability Graph (RRG) of a RCSM automaton is the automaton
restricted to r.states reachable from (sinit,Rinit). As the construction of RCSM from
TCSM keeps only reachable states, RRG is simply equal to RCSM.
The single step semantics, path semantics and fair path semantics are defined quite
similarly to that of CSM and can be found in [8].
6 Product of region automata
The disadvantage of “traditional” method of verification is that the whole system of
timed automata must be multiplied by every new testing automaton constructed, and
then RCSM may be constructed from the product. It is because a multiplication of
region automata is not defined for TA (perhaps the reason is interleaving nature of
product of TA, which cannot be applied to regions). The product of RCSM is defined
below.
Let P be a finite set of RCSM automata P={pi| i=1..n, pi = <RSi, outi, Xi, labi, (si,init,
Ri,init)>}. The RCSM automaton p = <RS, out, X, lab, (sinit, Rinit)> is a product of RCSM
automata from P (denoted p ≝ piP pi which means p1p2…pn) if sets OUT(pi),
i=1..n are pairwise disjoint, sets Xi, i=1..n are pairwise disjoint and:
X ≝ piP Xi,
RS piP RSi, ( piP RSi denotes Cartesian product RS1 RS2… RSn);
elements of RS (composite states) are pairs of the form:
(s,R) ≝ ((sj1, sj2, ..., sjn),R), R is a region over X;
R|i is a projection of R onto a set of clocks Xi:
q0 q1
/error
passing * lowered
passing + lowered
Fig. 4. Testing automaton
R|i={I,Y>,Y0,Yf1,…,Yfm}|i = {Ii,Y>i,Y0i,Yf1i,…,Yfmi},
where Ii is a tuple of integral parts of clocks restricted to Xi, all sets indexed by
i are conjuncted with Xi, then empty sets Yfji are extracted;
for any (s,R) RS:
out((s,R)) ≝ piP outi(sji)), sjiRSi,
construction of r.transitions:
1. Initial r.state (sinit, Rinit) RS contains si,init of all component automata piP:
sinit ≝ (s1,init, s2,init, ..., sn,init),
Rinit ≝ R[X:=0];
2. For any already constructed r.state (s,R), s=(s1,…,sn): take every set of
r.transitions of a form H={h1, …,hn} outgoing from (s1,R|1), …, (sn,R|n) in
component RCSM automata p1…pn; for every H, H ≝f hiH i.
3. If a set H contains only progress r.transitions hi, then for one or both region
successors of R (one of them is R[H:=0], the other one is R’R – a pro-
gress successor of R with [H:=0],) construct progressive r.transitions:
o <(s,R),w,,(s,R[:=0])> (a progress r.ear),
o <(s,R),w,,(s,R’[:=0])> (a progress r.transition with R’R), where w
is a conjunction of wi in all r.transitions belonging to H, reduced by
out((s,R)).
4. If a set H contains at lest one action r.transition, then construct an r.state
s’=(s1’, …, sn’) in which for every action r.transition hi, the state si’ is a target
state of the r.transition hi, and for every progress r.transition hi, si’=si. Then,
construct an action r.transition <(s,R),w,,(s’,R[H:=0])>, where w is
a conjunction of wi of all transitions belonging to H reduced by out((s,R)).
If w in any constructed transition is equal to , then the transition is rejected (and
a state constructed in p.4 as well).
Multiplication of RCSM automata makes it possible to store a set of automata specify-
ing a concurrent system in a form of product RCSM automaton, and multiply it by
various testing RCSM automata for verification of desired features. RCSM of system
under test once calculated, does not change. Such a procedure cannot be performed if
a product of RCSM automata does not exist, in such situation every TCSM test au-
tomaton must be multiplied by
TCSM system and then RCSM
must be calculated.
7 Example verification
TCSM may be used for model
checking of temporal proper-
ties [3]. For example, Alur in
[1] defines a correctness condition for a system shown in Fig. 1: if the TRAIN is in
s2’, the GATE should be in t2. This condition can be verified for the system as fol-
lows:
add a signal passing to the t.state s1’,
add a signal lowered to the t.state t2,
construct a testing automaton shown in Fig. 4.
The verification consists of the following steps (the case is safety property):
multiplication of timed automata TRAIN, GATE and CONTROLLER, calcu-
lation of system RCSM;
conversion of testing automaton (Fig. 4) to testing RCSM;
calculation of RCSM as product of system RCSM with testing RCSM;
reduction of the product [7,11,12,13];
observation of the result, the t.state q1 (safety condition) occurs unreachable as
needed.
8 Conclusions
CSM automata allow modeling of real parallelism, without interleaving in concurrent
systems. Timed CSM enhances the formalism to real-time delays .The presented veri-
fication technique over TCSM makes it possible to verify concurrent systems with
user-specified or automatically generated testing automata. The definition of product
of RCSM (which is not defined for Region Automata) allows to store a system under
verification in a form ready-to-multiplication with testing automata.
The verification is based on multiplying system RCSM with testing RCSM, reduc-
ing the obtained product and searching for reachability of given states (safety proper-
ties) or checking the stuttering of given symbols in reduced product (liveness proper-
ties).
9 Future work
In further research, a verification will be expanded to zone CSM (corresponding to
zone automata), which will allow to store state spaces in more compact form.
References
1. Alur, R. Dill D. L., “A Theory of Timed Automata”, in Theoretical Computer Science, Vol.
126 (1994) 183-235
2. Alur, R., “Timed Automata.” in 11th International Conference on Computer-Aided Verifi-
cation, LNCS 1633, Springer-Verlag, (1999) 8-22
3. Alur E., Courcoubetis C., Dill D. L., “Model-checking in dense real-time” in Information
and Computation, Vol 104, No.1 (1993).2-34
4. Daszczuk W. B., “Verification of Design Decisions in Communication Protocol by Evalua-
tion of Temporal Logic Formulas”, Institute of Computer Science, WUT, ICS Research Re-
port No 22 (1998)
5. Daszczuk W. B., Mieściski J., Nowacki M., Wytrębowicz J., “System Level Specification
and Verification Using Concurrent State Machines and COSMA Environment”, Proc. 8th
International Conference on Mixed Design of Integrated Circuits and Systems, MIXDES
2001, June 21-23, Zakopane, Poland (2001) 525-532
6. Daszczuk W. B., Grabski W., Mieściski J., Wytrębowicz J., “System Modeling in the
COSMA Environment”, Proc. Euromicro Symposium on Digital Systems Design – Archi-
tectures, Methods and Tools, September 4-6, Warsaw, Poland, IEEE Computer Society, Los
Alamos, CA (2001) 152-157
7. Daszczuk W. B., ”Verification of Temporal Properties in Concurrent Systems”, Ph.D. the-
sis, Warsaw University of Technology (2003)
8. Daszczuk W.B., “Timed Concurrent State Machines”, Institute of Computer Science, WUT,
ICS Research Report No 27 (2003)
9. Mieścicki J., “Concurrent System of Communicating Machines”, Institute of Computer
Science, WUT, ICS Research Report No 35 (1992)
10.Mieścicki J., Baszun M., Daszczuk W. B., Czejdo B.. “Verification of Concurrent Engineer-
ing Software Using CSM Models”, Proc.2nd World Conf. on Integrated Design and Process
Technology, Austin, Texas, USA, 1-4 Dec.(1996) 322–330
11.Mieścicki J., Zejdo B., Daszczuk W. B., Model checking in the COSMA environment as a
support for the design of pipelined processing. Proc. European Congress on Computational
Methods in Applied Sciences and Engineering ECCOMAS 2004, Jyväskylä, Finland, 24—
28 July 2004.
12.Mieścicki J., Zejdo B., Daszczuk W. B., Multi-phase model checking of a three-stage pipe-
line using the COSMA tool, Proc. European Congress on Computational Methods in Ap-
plied Sciences and Engineering ECCOMAS 2004, Jyväskylä, Finland, 24-28 July (2004).
13.Mieścicki J., Verification of UML State Diagrams Using Concurrent State Machines,
submitted (and accepted) for IFIP Working Conference on Software Engineering Tech-
niques SET’2006, October 17-20, 2006, Warsaw, Poland.
14.Zhang Z., „An Approach to Hierarchy Model Checking via Evaluating CTL Hierarchically“,
in Proc. of the 4th Asian Test Symposium, ATS’95, IEEE (1995) 45-49
top related